Key preference

Darren Tucker dtucker at zip.com.au
Fri Sep 20 23:47:06 EST 2013


On Fri, Sep 20, 2013 at 02:51:53PM +0200, Josef Wolf wrote:
> I have a problem specifying identities with the -i option.
[...]
> This seems strange to me. I have requested a _specific_ key with the -i
> option. Why is a different key tried _before_ this specific key is even
> considered?

If your ssh-agent has keys those will be offered to the server first.
You can change that with the IdentitiesOnly option.

> Another annoyance is that a private key will not be loaded when the
> corresponding public key is not available.

That's because if the private key is encrypted it'd need to prompt you
for the passphrase every time you made a connection whether the key can
be used or not.

The way pubkey auth works is the client says "if I proved I had the
private key corresponding to this public key fingerprint would that
work?" and the server replies with yes or no.  In your case, what's
probably happening is that you have keys in your agent which the server
will also accept.

> PS: Is the list on secureshell at securityfocus.com dead? If so, then
>     http://www.openssh.org/de/list.html should be updated accordingly.

From the archive it looks like it died some time in 2011.  I'll remove
it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
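
The exchange described in the reply above, as an added example that is not part of the original message and is not OpenSSH code. It is a simplified model of the offer order and the "would this key work?" query, with and without IdentitiesOnly. All key names, the server's authorized set and the function names are constructed for illustration.

```python
# Simplified model of the pubkey query exchange; not OpenSSH's implementation.
# Key names and the server's authorized set are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    name: str                # label standing in for the public key fingerprint
    source: str              # "agent", or "file" for a key given with -i
    encrypted: bool = False  # private key file protected by a passphrase

def candidate_order(agent_keys, identity_files, identities_only):
    """Order in which the modelled client offers public keys."""
    if identities_only:
        return list(identity_files)                 # agent-only keys are skipped
    return list(agent_keys) + list(identity_files)  # agent keys are offered first

def authenticate(agent_keys, identity_files, authorized, identities_only=False):
    """Return (key used or None, keys offered in order, passphrase prompts)."""
    offered, prompts = [], 0
    for key in candidate_order(agent_keys, identity_files, identities_only):
        offered.append(key.name)
        # Query step: only the public key is sent, nothing is signed yet.
        if key.name not in authorized:
            continue                                # server answers "no"
        # Server answered "yes": only now is the private key needed.
        if key.source == "file" and key.encrypted:
            prompts += 1                            # passphrase prompt happens here
        return key.name, offered, prompts
    return None, offered, prompts

AGENT = [Key("agent-key-A", "agent"), Key("agent-key-B", "agent")]
WANTED = [Key("deploy-key", "file", encrypted=True)]   # the key passed with -i
SERVER_AUTHORIZED = {"agent-key-B", "deploy-key"}       # server accepts both

def demo():
    default = authenticate(AGENT, WANTED, SERVER_AUTHORIZED)
    pinned = authenticate(AGENT, WANTED, SERVER_AUTHORIZED, identities_only=True)
    return default, pinned

if __name__ == "__main__":
    for label, result in zip(("default", "IdentitiesOnly"), demo()):
        print(label, result)
```

In the default case the model logs in with an agent key before the -i key is ever offered; with IdentitiesOnly only the requested key is offered, and the passphrase is needed only after the server has said yes.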


More information about the openssh-unix-dev mailing list